From bbf5b8ff1db19168e5bb920b5ad0b9d88199f6ad Mon Sep 17 00:00:00 2001
From: Paul Mackerras <paulus@samba.org>
Date: Sun, 24 Oct 2004 23:26:19 +0000
Subject: [PATCH] Fix use-after-free bug where we were freeing the per-user
 options set in the secrets file before they were used.  Patch from Michael
 Tokarev.

---
 pppd/auth.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/pppd/auth.c b/pppd/auth.c
index 002ec85..9a5e17e 100644
--- a/pppd/auth.c
+++ b/pppd/auth.c
@@ -73,7 +73,7 @@
  * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-#define RCSID	"$Id: auth.c,v 1.95 2003/06/11 23:56:26 paulus Exp $"
+#define RCSID	"$Id: auth.c,v 1.96 2004/10/24 23:26:19 paulus Exp $"
 
 #include <stdio.h>
 #include <stddef.h>
@@ -1251,14 +1251,15 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg)
     if (pap_auth_hook) {
 	ret = (*pap_auth_hook)(user, passwd, msg, &addrs, &opts);
 	if (ret >= 0) {
+	    /* note: set_allowed_addrs() saves opts (but not addrs):
+	       don't free it! */
 	    if (ret)
 		set_allowed_addrs(unit, addrs, opts);
-	    BZERO(passwd, sizeof(passwd));
+	    else if (opts != 0)
+		free_wordlist(opts);
 	    if (addrs != 0)
 		free_wordlist(addrs);
-	    if (opts != 0) {
-		free_wordlist(opts);
-	    }
+	    BZERO(passwd, sizeof(passwd));
 	    return ret? UPAP_AUTHACK: UPAP_AUTHNAK;
 	}
     }
-- 
2.39.2